[ldns-users] ldns-verify-zone question
Andy Linton
asjl at lpnz.org
Wed Apr 8 22:22:33 UTC 2009
Jelte Jansen wrote:
> Andy Linton wrote:
>> I've just started looking at DNSSEC and I'm using nsd and unbound on my
>> server ns1.lpnz.org
>
>> I've used ldns-signzone to sign notnil.org which gives me a file called
>> notnil.org.signed - this zone appears to load fine into nsd.
>
>> If I run the command:
>
>> ldns-verify-zone /etc/nsd/zones/notnil.org.signed
>
>> I get output that looks like this for each of the records in the zone file:
>
>> Checking: notnil.org.
>> Error: Error in SSL library for notnil.org. A
>> 28074:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
>> tag:tasn_dec.c:1294:
> <snip>
>
> I think you ran into an encoding bug in the conversion from openssl to dns data
> (during signing). If you are running ldns from source, could you please try
> the attached patch?
>
> Jelte
Compiled and installed and I still get:
# ldns-verify-zone /etc/nsd/zones/notnil.org.signed
Checking: notnil.org.
Error: Error in SSL library for notnil.org. A
32365:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1294:
32365:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=DSA_SIG